As reported by FortiGuard researchers, the gamers who’re actively looking for alt lists are targeted, as they download and run the files (executables) without second thoughts. Also, the ransomware is improperly configured, causing files to break down even after paying the ransom.
Luring With Minecraft Alt Lists
With over 140 million active players worldwide, Minecraft is a popular sandbox game and is the top-seller in Japan. Cashing on its popularity is the Chaos ransomware group, which is seen targeting Japanese players with fake alt lists. Alt Lists are so common in the gaming community, which are used by players for bannable offenses. These include a list of spare accounts created randomly or brought from others, and used for various frustrating activities against other players. Since these are regularly used and widely looked out for, the Chaos ransomware gang created fake alt lists with their executables included and is distributing through gaming forums. Unsuspecting players who download the files and run them, infect themselves with Chaos ransomware. The Chaos ransomware is tuned to find files with 2MB or less, and append a string of random numbers or alphabets to the file extension after encrypting them. Files with over 2MB size will have random bytes injected, making them irrecoverable even after paying the ransom. A reason for this is unknown but could be an incorrect configuration or poor coding of the ransomware executable. The threat group is also leaving a ReadMe.txt for demanding ransom, which is 2000 yen ($17.56) in pre-paid cards. Thus, gamers are advised not to open any suspecting files from unknown sources, and if that’s the case, it’s recommended to scan them with VirusTotal before proceeding with the installation and running.